z/OS Security Server RACF Security Administrator's Guide


Controlling the use of the RACDCERT command

SA23-2289-00

Authority to the IRR.DIGTCERT.function resource in the FACILITY class allows a user to issue the RACDCERT command. To issue the RACDCERT command, users must have one of the following authorities:
  • The SPECIAL attribute
  • Sufficient authority to resource IRR.DIGTCERT.function in the FACILITY class.
    • READ access to IRR.DIGTCERT.function to issue the RACDCERT command for themselves.
    • UPDATE access to IRR.DIGTCERT.function to issue the RACDCERT command for others.
    • CONTROL access to IRR.DIGTCERT.function to issue the RACDCERT command for SITE and CERTAUTH certificates. (This authority also has other uses.)
    • CONTROL access to IRR.DIGTCERT.LIST to issue the RACDCERT command with the LISTCHAIN keyword.

For detailed information about the RACDCERT command and the authority required to execute each command, see z/OS Security Server RACF Command Language Reference.

Note that users who have insufficient authority to the IRR.DIGTCERT.LIST resource can use the RACDCERT CHECKCERT command to display some digital certificate information if they have READ authority to the data set containing the certificate. The output they receive reflects only the certificate information contained in the data set. Because they lack sufficient authority to the IRR.DIGTCERT.LIST resource, they will not receive certificate information contained in the RACF® database, such as the TRUST status, the LABEL, or the RACF user ID associated with the certificate. For an example of this output, see Examples of checking digital certificate information.

Unlike the other RACDCERT functions, there is only one access level for LISTCHAIN, which is CONTROL. Only users who have CONTROL authority to the IRR.DIGTCERT.LIST resource can use the RACDCERT LISTCHAIN command to display information about the certificates in the chain.
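
The following REXX exec is an added example, not part of the IBM guide. It sets up the access levels described above on the IRR.DIGTCERT.LIST resource. The IDs APPUSR1, HELPDSK and PKIADM are hypothetical, and the exec assumes it is run from TSO by an ID that is allowed to administer FACILITY class profiles.

```rexx
/* REXX: added example, not from the IBM guide.                       */
/* APPUSR1, HELPDSK and PKIADM are hypothetical IDs; substitute your  */
/* own users or groups.                                               */
address TSO
profile = "IRR.DIGTCERT.LIST"

/* Create the profile with no default access, so that nothing is      */
/* granted implicitly through UACC.                                   */
call issue "RDEFINE FACILITY" profile "UACC(NONE)"

/* READ: the user can list only their own certificates.               */
call issue "PERMIT" profile "CLASS(FACILITY) ID(APPUSR1) ACCESS(READ)"

/* UPDATE: the user can also list certificates of other users.        */
call issue "PERMIT" profile "CLASS(FACILITY) ID(HELPDSK) ACCESS(UPDATE)"

/* CONTROL: SITE and CERTAUTH certificates, and the only access       */
/* level that permits RACDCERT LISTCHAIN.                             */
call issue "PERMIT" profile "CLASS(FACILITY) ID(PKIADM) ACCESS(CONTROL)"

/* Refresh the in-storage profiles (needed when the FACILITY class    */
/* is RACLISTed), then display the resulting access list for review.  */
call issue "SETROPTS RACLIST(FACILITY) REFRESH"
call issue "RLIST FACILITY" profile "AUTHUSER"
exit 0

/* Pass one command to TSO and report any nonzero return code.        */
issue: procedure
  parse arg cmd
  cmd
  if rc <> 0 then say "RC="rc "from:" cmd
  return rc
```

Because CONTROL also covers SITE and CERTAUTH certificates, an ID permitted at that level only so that it can run LISTCHAIN receives the wider listing authority as well.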





Copyright IBM Corporation 1990, 2014